
I want to restrict my SQS queue to accept messages only from an EventBridge rule. The IAM policy below looks correct with the deny in place, but SQS is not receiving messages with it; any input is appreciated.

{
  "Id": "Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "sid",
      "Action": [
        "sqs:SendMessage"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:sqs:us-east-1:***:sri-test-queue-3",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": "arn:aws:events:us-east-1:***:rule/sri-test-bus/sri-test-sqs-rule"
        }
      },
      "Principal": "*"
    }
  ]
}

The one generated by EventBridge to allow SQS access looks like this:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "AWSEvents_sri-test-sqs-rule_Id12",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:***:sri-test-queue-3",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:events:us-east-1:***:rule/sri-test-bus/sri-test-sqs-rule"
        }
      }
    }
  ]
}

2 Answers

Use the bottom policy. An SQS policy denies by default, so you do not need to worry about other resources posting messages to SQS. The policy would allow only arn:aws:events:us-east-1:***:rule/sri-test-bus/sri-test-sqs-rule to send the messages.

The problem with the policy statement you wrote was that you did not have an "Allow" statement, so SQS is denying SendMessage actions from every source.

  • The bottom policy ends up allowing other resources to post messages as well, like Lambda, but I want only the EventBridge rule to be able to post messages, so it has to be done with a deny. – Srini Oct 04 '22 at 00:51
  • @Srini No. The bottom policy only allows resources that match the ARN to post the message. You want to "allow" the EventBridge rule to post the message. There is no point using "deny". You can test the bottom policy by trying to send a message from a Lambda (it will fail). – Desk Reference Oct 04 '22 at 13:57
  • I tried testing this; Lambda is able to post the message to SQS, since the Lambda IAM role itself has sqs:* access, even though it is not part of the SQS resource policy whitelisting. That is not what I am looking for. – Srini Oct 05 '22 at 01:32
We just had to use some combination of principal types to achieve this; the one below finally worked:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ownerstatement",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:xxxx:sri-test-queue-3"
    },
    {
      "Sid": "DenyAllExceptBus",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:xxxx:sri-test-queue-3",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": [
            "arn:aws:events:us-east-1:xxxx:rule/sri-test-bus/sri-test-sqs-rule"
          ]
        }
      }
    }
  ]
}
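As an added illustration (not part of the question or either answer) of why the accepted Allow+Deny policy works where an Allow-only policy does not, the following Python simulates the simplified evaluation rules: an explicit Deny in the queue policy wins, and otherwise a same-account caller is allowed if either the queue policy or its own identity policy grants the action. The account id, the Lambda role ARN and the request shapes are constructed placeholders, and `{"AWS": "*"}` is treated as matching every caller.

```python
import fnmatch

QUEUE = "arn:aws:sqs:us-east-1:111122223333:sri-test-queue-3"  # constructed account id
RULE = "arn:aws:events:us-east-1:111122223333:rule/sri-test-bus/sri-test-sqs-rule"

ALLOW_ONLY = {"Statement": [  # shape of the policy suggested in the first answer
    {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": QUEUE,
     "Condition": {"ArnEquals": {"aws:SourceArn": RULE}}}]}
ALLOW_PLUS_DENY = {"Statement": ALLOW_ONLY["Statement"] + [  # accepted answer's extra Deny
    {"Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "sqs:SendMessage", "Resource": QUEUE,
     "Condition": {"ArnNotEquals": {"aws:SourceArn": [RULE]}}}]}

# Constructed requests: the EventBridge rule (carries aws:SourceArn) and a Lambda
# whose execution role grants sqs:* (no aws:SourceArn on a plain SDK call).
EVENTBRIDGE = {"principal_type": "Service", "principal": "events.amazonaws.com",
               "action": "sqs:SendMessage", "resource": QUEUE,
               "context": {"aws:SourceArn": RULE}, "identity_allows": False}
LAMBDA = {"principal_type": "AWS", "principal": "arn:aws:iam::111122223333:role/lambda-role",
          "action": "sqs:SendMessage", "resource": QUEUE,
          "context": {}, "identity_allows": True}

def _principal_matches(principal, req):
    """'*' or {'AWS': '*'} covers any caller (simplification); else match type and id."""
    if principal == "*" or principal.get("AWS") == "*":
        return True
    values = principal.get(req["principal_type"], [])
    return req["principal"] in ([values] if isinstance(values, str) else values)

def _condition_matches(condition, req):
    """ArnEquals/ArnNotEquals on context keys; a negated operator matches when the key is absent."""
    for operator, pairs in condition.items():
        negated = "Not" in operator
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            actual = req["context"].get(key)
            equal = actual is not None and any(fnmatch.fnmatch(actual, e) for e in expected)
            if (negated if actual is None else equal != negated) is False:
                return False
    return True

def _statement_matches(stmt, req):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return (any(fnmatch.fnmatch(req["action"], a) for a in actions)
            and fnmatch.fnmatch(req["resource"], stmt["Resource"])
            and _principal_matches(stmt["Principal"], req)
            and _condition_matches(stmt.get("Condition", {}), req))

def evaluate(policy, req):
    """Explicit Deny wins; otherwise Allow from the queue policy or the caller's identity policy."""
    effects = [s["Effect"] for s in policy["Statement"] if _statement_matches(s, req)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects or req["identity_allows"] else "Deny"
```

The Lambda case shows the asker's observation: with only an Allow, the role's own sqs:* permission is enough, and only the Deny with ArnNotEquals (which matches because the Lambda call has no aws:SourceArn) blocks it.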